
Administration Guide

Network device

Note: As of 9.4.4, this view was moved under Network > Settings.

Network Device allows you to set global properties that are specific to network devices and VLANs.

  1. Click Network > Settings > Network Device.
  2. Click a field and enter a setting. See the table below for settings.
  3. Click Save Settings.

Settings

Field

Definition

Agent Switching Delay (Sec)

Number of seconds FortiNAC waits before a host that has failed the Persistent Agent Check will be switched to the Quarantine or Remediation VLAN.

Default = 0 seconds

Minimum Trap Period (Sec)

Number of seconds FortiNAC waits after receiving a linkup trap before reading the forwarding table from the switch associated with the trap.

Default setting = 10 seconds

Max Number of Trap Periods

Maximum number of Trap Periods that the appliance waits before reading the switch forwarding tables.

If the switch does not have the MAC address information for the port that generated the linkup trap, the appliance places the switch back into the queue. Once the Minimum Trap Period has expired, the forwarding table on the switch is read again.

If another linkup trap is generated by the same switch the trap period time is reset.

Default setting = 4

For example, if the Minimum Trap Period is set to 20 seconds and the Max Number of Trap Periods is set to 2, the longest the appliance will wait to read the switch forwarding tables is 40 seconds.
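The trap-period backoff described above, as an added example modelled on this setting's description (not FortiNAC code): a trap queues the switch, each read that finds no MAC for the port requeues it for another Minimum Trap Period, up to Max Number of Trap Periods reads, and a newer trap from the same switch restarts the countdown. All inputs are constructed; the assumption that a new trap restarts only the timer, not the period count, is labelled in the code.

```python
"""Model of FortiNAC's linkup-trap read scheduling (Minimum Trap Period and
Max Number of Trap Periods). Added example, not FortiNAC code; the scheduling
model and all inputs are constructed."""


def longest_wait(min_period, max_periods):
    """Upper bound on the time between a trap and the last forwarding-table read."""
    return min_period * max_periods


def schedule_reads(min_period, max_periods, trap_times, mac_visible_at):
    """Return (read_times, learned_at) for one switch.

    trap_times:     times (seconds) at which linkup traps arrive from the switch
    mac_visible_at: time from which the switch's forwarding table contains the
                    MAC for the port that raised the trap (constructed input)
    learned_at is None when every permitted read found the table still empty.
    """
    pending = sorted(trap_times)
    if not pending:
        return [], None
    next_read = pending.pop(0) + min_period
    reads = []
    for _ in range(max_periods):
        # A newer linkup trap from the same switch resets the countdown
        # (assumption: it restarts the timer only, not the period count).
        while pending and pending[0] < next_read:
            next_read = pending.pop(0) + min_period
        reads.append(next_read)
        if next_read >= mac_visible_at:
            return reads, next_read
        # MAC not in the table yet: requeue and wait another Minimum Trap Period.
        next_read += min_period
    return reads, None
```

With the page's values (20 seconds, 2 periods) the model reads at 20 s and 40 s and then stops, matching the 40-second bound stated above.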

Cold Start/Warm Start Trap Delay (Sec)

After receiving a Cold/Warm Start trap, FortiNAC waits for the amount of time specified in this field before polling the switches.

Note: When the L2 poll is scheduled at the same time the delay is in progress, the poll gets delayed until the Cold Start/Warm Start Trap Delay interval is finished.

Registration Delay (Sec)

Number of seconds FortiNAC waits before switching a port to the production VLAN.

This allows the user registering a host time to read the information on the Registration Success page.

Default setting = 5 seconds

If another host connects to the same switch during the Registration Delay time, the switch updates and the port is switched to the production VLAN without waiting for the delay time to expire.

System Defined Uplink Count

When the number of MAC addresses on a port exceeds this value the port is changed to an uplink. Setting this value to a higher number can help to indicate Multi-Access points.

Default setting = 20

For example, setting this value to 7 changes the port to an uplink if a minihub with 8 ports is connected on the port.

See Port properties.

Telnet Connection Timeout (Sec)

When using telnet to contact devices, this setting determines how long the server waits for a response from the device before timing out.

Default = 12 seconds

VLAN Reset Delay (Sec)

Number of seconds FortiNAC waits before resetting the VLAN of a port that has no connected hosts or devices. The port must be a member of either the Reset to Registration group or the Reset to Default port group. If the port is a member of both groups, the Registration VLAN takes precedence.

Default = 60 seconds

VLAN Switching Delay (Sec)

Number of seconds FortiNAC waits between disabling and reenabling a port when switching it to another VLAN.

Default setting = 8 seconds

If this value is left as zero (0) the host may have an invalid IP on the new VLAN.

MAC address Spoof Time Delay (Minutes)

Supported for wired connections only.

The default is set to 5 minutes.

Non-zero value: The number of minutes after which, if the same MAC address has been detected on two devices/ports simultaneously on two different switches, the Possible MAC address Spoof event will be generated.

Workflow:

  1. Two devices connect with the same MAC address: one to switch A and one to switch B
  2. L2 poll of switch A (detects one of the devices)
  3. L2 poll of switch B (detects the other device)
  4. Wait the number of minutes specified by MAC address Spoof Time Delay value
  5. L2 poll of switch A
  6. L2 poll of switch B
  7. If the MAC address is still detected in both locations, Possible MAC address Spoof event is generated

Note:

  • An event will not be generated if both devices with the same MAC address are connected to the same physical switch.

  • A long age time in a host may cause the MAC address of the host to be falsely reported as connected to more than one device at the same time. For example, Host A is connected to Switch A with an age time of 10 minutes. Host A is moved to Switch B and FortiNAC updates the location. FortiNAC reads Switch A which still shows Host A as online because Host A has not yet aged out.

Zero (0) value: (Recommended - available in FortiNAC Versions 8.8.8, 9.1.2 and above) Enables two features:

  • The Possible MAC address Spoof event will be generated on every connection move that occurs on an L2 Poll.

  • The Possible MAC address Spoof event will be generated on a connection move that occurs on the same physical switch.
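The workflow and notes above, as an added example that models the detection logic (not FortiNAC code): L2 poll results are constructed forwarding tables keyed by port, a non-zero delay raises Possible MAC address Spoof only when both switches have been re-polled after the delay and still report the MAC, two ports on the same switch never count as a conflict, and a zero delay raises the event on every move a poll observes, same switch included. The stale-entry case from the age-time note is covered by the second scenario in the usage note.

```python
"""Model of the MAC address Spoof Time Delay detection. Added example, not
FortiNAC code; switch names, times (minutes) and poll tables are constructed."""
from collections import defaultdict


class SpoofDetector:
    def __init__(self, delay_minutes):
        self.delay = delay_minutes
        self.where = defaultdict(dict)   # mac -> {switch: port} currently reported
        self.polled = {}                 # switch -> time of its last L2 poll
        self.conflict_since = {}         # mac -> time first seen on two switches
        self.last = {}                   # mac -> (switch, port) from the latest poll
        self.events = []

    def l2_poll(self, time, switch, table):
        """Feed one L2 poll of `switch`; table is {port: mac} (constructed)."""
        self.polled[switch] = time
        for mac in list(self.where):          # drop this switch's previous entries
            self.where[mac].pop(switch, None)
        for port, mac in table.items():
            self.where[mac][switch] = port
            if self.delay == 0:
                # Zero value: every observed move raises the event, including a
                # move between two ports of the same physical switch.
                prev = self.last.get(mac)
                if prev is not None and prev != (switch, port):
                    self.events.append((time, mac, "move", prev, (switch, port)))
                self.last[mac] = (switch, port)
        if self.delay > 0:
            self._check_conflicts(time)

    def _check_conflicts(self, time):
        for mac, places in self.where.items():
            if len(places) < 2:     # one switch only: same-switch duplicates never count
                self.conflict_since.pop(mac, None)
                continue
            start = self.conflict_since.setdefault(mac, time)
            due = start + self.delay
            # Both switches must be polled again after the delay and still list the MAC.
            if time >= due and all(self.polled[sw] >= due for sw in places):
                self.events.append((time, mac, "possible-spoof", sorted(places)))
                del self.conflict_since[mac]
```

Feeding poll A {1: "aa"} at 0, poll B {3: "aa"} at 1, then polls of A and B at 6 and 7 with a 5-minute delay yields one possible-spoof event at 7; if the poll of A at 6 no longer lists the MAC (the stale entry aged out), the conflict is cleared and no event is raised.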

Enable Multi-Access Detection

When enabled, the appliance looks for multiple MAC addresses on ports each time a switch is read.

Default = Disabled

To have an event generated when multiple MAC addresses are detected on a port the Multi-Access Point Detected event must also be enabled. However, if the port is in the Authorized Access Points group an event is not generated.

See Event management to enable the Multi-Access Point Detected event. See System groups to determine if the port is in the Authorized Access Points group.

Multi-Access Detection Threshold

The number of MAC addresses that are allowed on a port before a Multi-Access Point Detected event is generated.

Enable Cisco Discovery Protocol

When enabled, allows FortiNAC to query devices about other connected devices on the network. If a device has this discovery protocol enabled it gathers and stores information about devices it manages and devices it can contact on the network. Only devices with CDP enabled will respond to a CDP query.

This is a global setting for the system. If this setting is enabled, devices can be set individually on the Polling Tab of the Device Properties View. If this setting is disabled, the device setting is ignored and the CDP feature is not used when polling a device. Devices that have the capacity for CDP must have the feature configured on the device's firmware.

Default = Enabled

Enable Link Layer Discovery Polling

When enabled, allows devices to advertise information and their identity to neighboring devices connected to the same network.

Maximum Cisco Discovery Depth

Limits the number of layers from the original device that will be queried using Cisco Discovery Protocol. For example, if the Depth is set to 1, then FortiNAC will only query for devices that are directly connected to the device with the starting IP address during the Discovery process. If the Depth is set to 2, then FortiNAC stops querying after it reaches the second level of devices away from the starting IP address.

See Discovery.
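Bounded-depth discovery as described under Enable Cisco Discovery Protocol and Maximum Cisco Discovery Depth, as an added example (not FortiNAC code): a breadth-first walk from the starting IP that stops querying at the configured depth and, per the note that only CDP-enabled devices answer, does not learn neighbors through a device with CDP disabled. The neighbor table, IP addresses and CDP-enabled set are constructed.

```python
"""Model of Maximum Cisco Discovery Depth. Added example, not FortiNAC code;
the neighbor table stands in for what a CDP query of each device would return."""
from collections import deque


def cdp_discover(start_ip, neighbors, cdp_enabled, max_depth):
    """Return {ip: depth} for every device reached; the start device is depth 0.

    neighbors:   constructed {ip: [neighbor ips]} as reported by that device
    cdp_enabled: set of ips that respond to a CDP query; others return nothing
    """
    found = {start_ip: 0}
    queue = deque([start_ip])
    while queue:
        ip = queue.popleft()
        depth = found[ip]
        if depth >= max_depth:        # do not query beyond the configured depth
            continue
        if ip not in cdp_enabled:     # only devices with CDP enabled will respond
            continue
        for neighbor in neighbors.get(ip, []):
            if neighbor not in found:
                found[neighbor] = depth + 1
                queue.append(neighbor)
    return found


# Constructed topology: .1 sees .2 and .3; .2 sees .4; .3 (CDP disabled) sees .5; .4 sees .6.
NEIGHBORS = {
    "10.0.0.1": ["10.0.0.2", "10.0.0.3"],
    "10.0.0.2": ["10.0.0.4"],
    "10.0.0.3": ["10.0.0.5"],
    "10.0.0.4": ["10.0.0.6"],
}
CDP_ENABLED = {"10.0.0.1", "10.0.0.2", "10.0.0.4", "10.0.0.6"}
```

With Depth 1 only the directly connected .2 and .3 are found; Depth 2 adds .4 but never .5, because .3 does not answer CDP queries.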

Ignore MAC Notification Traps for IP Phones

When enabled, FortiNAC will not process MAC Notification Traps for IP Phones. This setting is enabled by default.

Disabling this setting may cause FortiNAC to process large numbers of traps, resulting in decreased performance.

Enable Network Access Policy for Wireless Access Points

When enabled, Network Access Policies will be applied to Wireless Access Points connected to the network. Note that the port the access point is connected to must be a member of the Role-Based Access group.

Wireless Access Point Enforcement Group

A port group which will be populated when a Wireless Access Point is connected. The port it connects to will be added to the group. The port will not be automatically removed from the group.

Preserve Port Names

Enabled by default. When disabled, any port names/labels that have been changed on the switch will be updated in the FortiNAC database upon the next "Resync Interfaces". Affects all device models when modified in this view. To modify at the device model level, see Device properties.
